npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@agenticprimitives/attestations

v0.0.0-alpha.5

Published

AttestationRegistry SDK — EAS-aligned with bilateral consent. Owns Association + JointAgreement + Evidence + Outcome + Validation + TrustUpdate credential types asserted into a single on-chain registry per ADR-0023.

Downloads

500

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

richcanvasrichcanvas

Keywords

agenticprimitivesattestations

Readme

@agenticprimitives/attestations

Agent reputation needs public, revocable claims pinned to a persistent identity — not to a key that rotates away. When an agent's track record lives on chain, three things must be true: the subject is an address that survives credential recovery, the claim cannot be anchored against a different subject by replaying a signature, and a "joint" claim genuinely carries both parties' consent. This package is the SDK for AttestationRegistry.sol, the single on-chain registry where those guarantees are enforced — bilateral consent is verified on chain from both party signatures, not assumed from a stored reference.

It is EAS-aligned where alignment helps (UID model, schema IDs, refUID chaining) and deliberately stricter where EAS is loose: one registry, credential types as discriminators rather than per-type contracts, and no issuer-unilateral revocation entrypoint at all.

Part of agenticprimitives — the trust substrate for the agent economy: one canonical Smart Agent identity with custody, delegation, naming, credentials, and audit evidence designed as one system.

What ships today

The W1 foundational slice — the cryptographic spine the contract and downstream packages already rely on:

  • CREDENTIAL_TYPE — keccak discriminators for Association, Evidence, Outcome, Validation, TrustUpdate, JointAgreement, PaymentReceipt (one registry, many types — ADR-0024 Decision 2).
  • computeAttestationUid(...) — recomputes the on-chain UID per AttestationRegistry._computeUid.
  • JOINT_CONSENT_TYPEHASH + jointConsentDigest(...) — the digest BOTH parties sign to consent to a joint agreement. assertJointAgreement recomputes it on chain and verifies both signatures (ERC-1271 / ECDSA); a stored consent reference is not consent (RW1-1, ADR-0027). chainId and the registry address are bound, so consent cannot be replayed cross-chain (ATT-3).
  • JOINT_ISSUER_TYPEHASH + jointIssuerDigest(...) — the issuer signs parties, schema, credential type/hash, agreement commitment, chain, and registry — never a bare hash (ATT-1).
  • ASSOCIATION_ATTESTATION_TYPEHASH + associationAttestationDigest(...) — binds the subject, so a known credential hash cannot be anchored against someone else (SC-2).
  • Request payload shapesAssociationAttestationRequest, JointAgreementAttestationRequest, matching the contract ABI.

Every typehash above MUST byte-equal its AttestationRegistry.sol constant — enforced by the cross-stack check:eip712-typehash-equality CI gate.

Planned for later waves per the W1 implementation wave plan: assertion builders (buildAssociationAssertion, buildJointAgreementAssertion), the AttestationClient read client, and revocation encoders (holder-only / either-party / validator-only per type).

How it's different

Against EAS and Verax, three concrete deltas:

  1. Contracts and SDK are one artifact. The EIP-712 typehashes in this package are CI-locked to the Solidity constants. In EAS-style stacks the client SDK and the chain are separate codebases that drift; here drift fails the build.
  2. Bilateral consent is verified, not asserted. A joint attestation requires both parties' signatures over a digest the contract recomputes. There is no resolver/module hook where consent semantics can be customized away (ADR-0023, D2).
  3. No issuerRevoke. Holders revoke their own associations; joint agreements revoke by either party; issuer revocation is off-chain via StatusList2021 (D-18). An issuer cannot unilaterally erase a subject's record.

The credential bodies themselves are W3C VCs from verifiable-credentials (type-only dependency); only their canonical hashes touch the chain. Vault-resident bodies stay private unless explicitly opted into public assertion (D-46).

Status

Foundational (W1) — code shipped; not production enforcement. The digest math, typehashes, and payload shapes above are real and gate-checked; the full builder/client surface lands in Wave 4 per the wave plan. See AUDIT.md.

Testnet/pilot-ready. Production launch is gated on the public checklist in the root README — including third-party contract audit and governance key rotation. Track every security finding live in docs/audits/findings.yaml.

Owns spine layers: 12–15. Authoritative spec: specs/242-trust-credentials-and-public-assertions.md — see spec.md for the symlink. Bounded surface: CLAUDE.md + capability.manifest.json.

Build

pnpm --filter @agenticprimitives/attestations typecheck
pnpm --filter @agenticprimitives/attestations test
pnpm --filter @agenticprimitives/attestations build